- MASVS (Mobile Application Security Verification Standard)
Security Standard - focus on how mobile apps handle, store, protect sensitive information and Standardize the security requirements with a baseline for mobile app security, allowing defense-in-depth measures and protection against client-side threats.
MASVS only covers the security of the client-side mobile app.
-
Mobile Attack Surface
- Storage
- Cryptography
- Authentication & Authorization
- Network communication
- Platform interaction
- Code quality
- Resilience against reverse engineering & tampering
-
Each control group is labeled with MASVS-XXXXX and each individual control with MASVS-XXXXX-Y.
-
Security Testing Profiles
- before 2023: 3 verification levels (L1, L2, R)
- 2023: alighend with NIST OSCAL
-
Native apps written in Java/Kotlin for Android or Objective-C/Swift for iOS.
-
Apps based on cross-platform (Flutter, React Native, Xamarin, Ionic, etc.) and hybrid (Cordova, PhoneGap, Framework7, Onsen UI, etc.) frameworks - susceptible to platform-specific vulnerabilities.
Secure storage of sensitive data on a device (data-at-rest).
- PII (Personally identifiable information)
- Cryptographic material
- Secrets, Credentials
- API keys
Any sensitive data intentially stored by the app must be properly protected, regardless of the target (internal storage) location. If possible, use hardware-backed security features for apps development.
The app securely stores sensitive data.
- Intentional storage location may be:
- app's internal (private) storage
- public (accessible by user/other apps)
- Ensure any sensitive data is properly protected
The app prevents leakage of sensitive data.
- Unintentional (public) storage location
- using certain APIs, backup, logs
- Ensure prevention of unintentional leaks
Cryptographic functionality used to protect sensitive data.
- Ensure that the app uses cryptography and keys management (generation, storage, protection, encryption) according to industry best practices
- Avoid physical access to sensitive data
The app employs current strong cryptography and uses it according to industry best practices.
- External cryptography standards for securing the user's data
The app performs key management according to industry best practices.
- Manage cryptographic keys lifecycle (generation, storage, protection)
Authentication and authorization mechanisms used by the mobile app.
- Implement correct user identity validation with Biometrics, Pin, multi-factor authenticatin code generators, to prevent unauthorized access.
- Remote/local app secure auth
The app uses secure authentication and authorization protocols and follows relevant best practices.
- Apps must use secure protocols to authenticate to a remote endpoint
The app performs local authentication securely according to the platform best practices.
- Correctly implement local & remote authentication (biometrics, local PIN code)
The app secures sensitive operations with additional authentication.
- Securely implement additional authentication methods for sensitive actions inside the app (biometric, pin, MFA, email, deep links, etc)
Secure network communication between the mobile app and remote endpoints (data-in-transit).
- Ensure exchanged data confidentiality and integrity
- Apps must set up a secure, encrypted network communicatino channel using the TLS protocol.
- Trust only specific Certificate Authorities
The app secures all network traffic according to the current best practices.
- Ensure in-transit Data privacy & integrity, using TLS protocol, in any situation, avoiding security bypass/disabling
The app performs identity pinning for all remote endpoints under the developer's control.
- Only very specific CAs are trusted = certificate/public key pinning
Secure interaction with the underlying mobile platform and other installed apps.
- Mobile platform app's interactions must occur securely, using secure platform-provided IPC mechanisms & WebView configurations
- IPC (inter-process communication)
- Prevent sensitive data leakage
- Secure display sensitive data in app's user interface (passwords, credit card details, one-time pwds notifications)
The app uses IPC mechanisms securely.
- Ensure secure interactions (through IPC mechanisms) between user and installed apps
The app uses WebViews securely.
- Secure WebViews configuration, preventing data leakage & sensitive functionality exposure (e.g. JavaScript to native code)
The app uses the user interface securely.
- Avoid data unintentionally leakage due to platform mechanism (screenshots, UI data displaying)
Security best practices for data processing and keeping the app up-to-date.
- Data entry points: UI, IPC, Network, File System
- Treat data as untrusted input, verify and sanitize it before use - prevention of injection attacks (SQL, XSS, insecure deserialization) and bypass of security checks
The app requires an up-to-date platform version.
- Ensure users have the latest security protections (OS patches)
The app has a mechanism for enforcing app updates.
- Force app updates
The app only uses software components without known vulnerabilities.
- Conver "low-hanging fruits" by scanning libraries for known vulnerabilities
The app validates and sanitizes all untrusted inputs
- Data inputs sanitized before usage: UI, IPC, network, file system, etc
Resilience to reverse engineering and tampering attempts.
- Defense-in-depth measures (code obfuscation, anti-debugging, anti-tampering, etc)
- App run on trusted platform, prevent runtime tampering, integrity of app's inteded functionality
- Quanto l'app è in grado di resistere ad un attacco mirato?
- e.g. Se l'app B2C root check, antiroot, saperlo e bloccarsi
The app validates the integrity of the platform.
- Validates the OS is not tampered/compromised and its security features can be trusted.
The app implements anti-tampering mechanisms.
- Ensure app's integrity, preventing original code and resources modifications
The app implements anti-static analysis mechanisms.
- Impede comprehension of the app's functioning with static analysis.
The app implements anti-dynamic analysis techniques.
- Prevent dynamic analysis/instrumentation of the app, avoiding code modification at runtime